Preventing a Blackout by Taking the Power Grid Offline
What can stop hackers from turning off America’s lights? Old-school equipment that’s not connected to the web.
With hackers attacking electrical grids, banks, and a growing list of other targets, some policymakers and security researchers are calling for turning the clock back to an earlier era when devices weren’t connected to the internet — or vulnerable to digital attack.
The American power grid is more efficient than ever before because electricity plants, transformers, and other key pieces of infrastructure are networked together, allowing for electricity to be redirected in real time from areas with too much to those needing more.
The problem is that those gains have also left the overall system open to attack. Power stations and grids run by network-connected computer control systems can be hacked to cause widespread power outages.
American intelligence officials have long warned that the U.S. grid would represent a ripe target in a time of war, and U.S. adversaries are heavily investing in the capabilities to take it down. In Ukraine, hackers attacked a portion of the country’s grid over Christmas and succeeded in knocking out power for thousands of customers in the middle of the bitter winter. Officials in Kiev quickly pointed the finger at Moscow for the unprecedented attack, but the Kremlin denied responsibility.
Desperately looking for new ways of shoring up the U.S. grid’s defenses against digital attack, a bipartisan group of lawmakers is pushing a decidedly counterintuitive approach to cybersecurity: ditching cutting-edge digital technology for old-school analog control mechanisms.
This week, four senators on the Intelligence Committee — Angus King (I-Maine), James Risch (R-Idaho), Martin Heinrich (D-N.M.), and Susan Collins (R-Maine) — introduced legislation that would set aside $10 million to study security vulnerabilities on the electrical grid and come up with solutions for them, including what the bill’s backers call a “retro” approach to grid security.
“We can learn something from what happened in Ukraine,” King said during remarks on the Senate floor this week. “It may be that going back to the future, if you will, going back to the past and simplifying some of these critical connection points may be the best protection that we can have.”
For now, at least, security engineers aren’t investing in these types of retro devices. Security-focused start-ups aren’t working on analog solutions, and engineering talent is more often focused on designing higher-tech tools, not turning back the clock to older ones. Analog security devices are widely available, but engineers aren’t usually focused on integrating them into computerized control systems.
And that’s one reason why many cybersecurity experts are excited about the legislation introduced this week. “When the government invests in areas where there is no market, that’s exactly what we want to see,” said Robert M. Lee, an instructor at the SANS Institute and a former cyberwarfare operations officer for the U.S. Air Force.
He and other security experts say a “retro” approach makes a great deal of sense. Michael Assante, the head of industrial control systems at the SANS Institute, which provides cybersecurity training to security professionals, said utilities would be wise to integrate tools that aren’t connected to networks or are completely analog into a sophisticated control system.
Researchers at the engineering consulting firm Kenexis have come up with similar proposals to use mechanical technology as a cybersecurity measure. In recent years, designers of high-speed rotating systems such as centrifuges have used computers to keep them from spinning too fast, a shift that has left them vulnerable to hacks like the Stuxnet attack on Iran’s nuclear facilities.
A simple, spring-based design can be used to prevent hackers from getting the centrifuges to spin too fast. As a spinning object gains speed, a spring with a weight at its end will be pulled toward the system’s edge by the centrifugal force. When the spring reaches the point defined as the maximum speed, it trips a relief valve, venting steam or whatever powers the mechanism. That’s a design that cannot be hacked.
The challenge is that business incentives are firmly aligned against such a move. In recent years, companies of all types have been installing sensors on devices and networking equipment at a furious pace. Placing sensors and computerized controls on every valve on thousands of miles of pipeline, for example, allows a gas company to precisely control the pressure in its equipment. Such fine calibration can result in huge savings — savings that could be lost if those sensors were replaced by less sophisticated analog equipment.
Boardrooms and investors are constantly looking for gains in productivity and efficiency, and the networking of devices and sensors forms the core of what is touted as the “big data” revolution. Many executives believe that type of information will be the main driver of 21st-century productivity gains, but security experts question whether executives and corporate board members truly understand the increased risk that comes with the ubiquitous networking of computers and sensors.
“It’s a fight for visibility. Do we want more visibility and less security? Or less visibility and more security?” Lee said.
Assante was one of the authors behind an October 2015 paper that helped inspire the legislation. That paper drew on a bit of science fiction to help illustrate its argument. In the Battlestar Galactica television series, humanity finds its defenses and ships “devastated by a hostile series of cyber attacks, with only one spaceship surviving,” Assante and his co-authors wrote. “The outdated destroyer, Battlestar Galactica, last in line for the fleet-wide upgrade to digital controls, proves to be immune to cyber attacks and lives to fight another day.”
Assante told Foreign Policy that he is a proponent of what he calls “hybrid systems” and that he wants no part of what he described as a “digital backlash.” Rather, he argues that the use of analog or non-networked devices alongside advanced, modern control systems can foil the tactics used by the most advanced hackers.
When U.S. and Israeli hackers targeted the Iranian nuclear program with the Stuxnet virus, for example, they damaged the centrifuges at the Natanz facility by causing them to abnormally speed up and slow down. The hackers fooled operators in the Natanz control room into thinking their centrifuges were running normally. They recorded performance data from the devices during normal operation and then played that data back to the control room when executing the attack.
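The following toy model, added here and not code from the article or from any of the firms it names, contrasts the two protections described above: a networked overspeed interlock that trusts the telemetry it is shown, and a spring-and-weight governor that responds only to the real rotor speed. The speeds, thresholds and ramp rate are constructed values.

```python
"""Toy model: a replayed telemetry feed blinds a software interlock,
while an independent mechanical governor still trips on real speed.
All numbers are constructed for illustration."""

TRIP_RPM = 1000.0    # constructed overspeed limit
NORMAL_RPM = 900.0   # constructed normal operating speed
RAMP_RPM = 50.0      # constructed per-step increase driven by the attacker


def record_normal_telemetry(steps: int) -> list[float]:
    """Phase 1 of the attack: capture sensor data while the plant runs normally."""
    return [NORMAL_RPM + (i % 3) * 2.0 for i in range(steps)]  # benign jitter


def software_interlock(reported_rpm: float) -> bool:
    """Networked interlock: it can only act on the value it is *told*."""
    return reported_rpm > TRIP_RPM


def mechanical_governor(actual_rpm: float) -> bool:
    """Spring-and-weight governor: the weight is thrown outward by the real
    centrifugal force, so recorded data cannot fool it. Modelled as a threshold."""
    return actual_rpm > TRIP_RPM


def run_attack(steps: int = 10, replay: bool = True) -> dict:
    """Raise the rotor speed each step while (optionally) replaying recorded
    telemetry to the control room. Returns the step at which each protection
    tripped (None if never) and the peak speed the rotor actually reached."""
    recorded = record_normal_telemetry(steps)
    actual = NORMAL_RPM
    result = {"software_trip": None, "governor_trip": None, "peak_rpm": actual}
    for step in range(steps):
        actual += RAMP_RPM                       # attacker pushes the drive harder
        reported = recorded[step] if replay else actual
        result["peak_rpm"] = actual
        if result["software_trip"] is None and software_interlock(reported):
            result["software_trip"] = step
        if result["governor_trip"] is None and mechanical_governor(actual):
            result["governor_trip"] = step
            break                                # governor vents the drive; ramp ends
    return result


if __name__ == "__main__":
    print("with replay:   ", run_attack(replay=True))
    print("without replay:", run_attack(replay=False))
```

With replay on, the software interlock never fires while the governor trips as soon as the real speed exceeds the limit; with replay off, both trip at the same step.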
“The advent of Stuxnet led to engineers wondering, ‘Boy, what would happen if someone turned this against my plant?’” Assante said.
Engineers are now thinking of ways to guard against sophisticated digital attacks, in part by relying on technology that predates the internet revolution. Designers at the Langner Group, a cybersecurity consultancy for critical infrastructure and manufacturing firms, have, for example, developed a concept system for what the company calls an “analog logic controller.”
The analog system would perform many of the functions of a programmable logic controller, a computer that lies at the heart of industrial operations. As the name implies, PLCs can be programmed to carry out a wide variety of tasks. But the fact that they can be programmed also means that they can be taken over and used for sabotage.
Langner’s proposal takes the control logic that would normally run as PLC software and hard-wires it into a circuit board, rather than relying on software that can be modified.
Analog technology continues to be a feature of some industrial safety systems, and the Langner device may be one way to keep such technology in place — including on nuclear reactors. “If things go sideways, the safety systems that prevent a meltdown are still analog,” said Perry Pederson, a co-founder of Langner.
For now, Assante says these engineering approaches are most likely to be limited to safety mechanisms, where analog systems can be implemented without disrupting a company’s business model. Some electrical utilities are beginning to install backup, non-networked protective relays at their substations. These relays are crucial to the operation of an electrical grid and can be manipulated by an attacker to disrupt the power. By keeping these devices off the network, utilities protect them from cyberattack.
But for every advocate of a back-to-basics engineering approach, there’s also a cybersecurity vendor claiming he can protect your computer systems from attack — and keep your business model intact. “You cannot back away from the network,” said Faizel Lakhani, the president and COO of SS8, a cybersecurity firm. “We built a system that analyzes network traffic and then builds in the ability to wind the clock back.”
Companies such as SS8, which Lakhani says counts “six of the world’s largest intelligence agencies” as clients, are legion in 2016. They monitor networks and attempt to spot abnormalities and block attacks — using the same kind of big data analytics that companies are utilizing for productivity gains. Lakhani calls it a “wrapper” around a network “that can help you understand whether it’s behaving the way you expect.”
That business argument points to the many economic forces stacked against Assante’s more conservative engineering approach. Executives seek productivity gains in computer networking, while a burgeoning cybersecurity industry pledges it can keep all those computers safe.